adal-node depends on @xmldom/xmldom that has a security vulnerability #5302

Closed
carpusherw opened this issue Oct 14, 2022 · 12 comments · Fixed by #5300
Labels
adal-node dependencies Pull requests that update a dependency file public-client Issues regarding PublicClientApplications

Comments

@carpusherw

Core Library

ADAL Node (adal-node)

Core Library Version

0.2.3

Wrapper Library

Not Applicable

Wrapper Library Version

N/A

Public or Confidential Client?

Public

Description

The adal-node package has a dependency on @xmldom/xmldom, which in turn has a security vulnerability. Please see GHSA-9pgh-qqpf-7wqj.

Error Message

No response

Msal Logs

No response

MSAL Configuration

N/A

Relevant Code Snippets

https://github.com/advisories/GHSA-9pgh-qqpf-7wqj

Reproduction Steps

GHSA-9pgh-qqpf-7wqj

Expected Behavior

Package should be installable without any npm audit errors

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

External (Customer)

@carpusherw carpusherw added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Oct 14, 2022
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Oct 14, 2022
@github-actions github-actions bot added adal-node public-client Issues regarding PublicClientApplications labels Oct 14, 2022
@ghost ghost assigned tnorling Oct 14, 2022
@carpusherw
Author

Oh I just saw this #5300

@tnorling tnorling linked a pull request Oct 14, 2022 that will close this issue
@tnorling
Collaborator

The linked pull request will address this. Please be aware that adal-node is deprecated and will no longer be receiving any updates as of December 31st, 2022. You should migrate to msal-node ASAP.

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Oct 14, 2022
@carpusherw
Author

> The linked pull request will address this. Please be aware that adal-node is deprecated and will no longer be receiving any updates as of December 31st, 2022. You should migrate to msal-node ASAP.

Cross post to Azure/ms-rest-nodeauth#146

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Oct 17, 2022
@ghost ghost removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Oct 17, 2022
@carpusherw
Author

@tnorling, would you release a new version, supposedly 0.2.4?

@tnorling
Collaborator

Yes, we have a release currently scheduled for next Monday. Will make sure this gets out. cc. @sameerag

@bejuzb0

bejuzb0 commented Nov 3, 2022

Any updates on adal-node 0.2.4? @tnorling I wasn't able to find any new version.

@tnorling
Collaborator

tnorling commented Nov 3, 2022

Apologies, the release slipped. @sameerag can provide updates. Reopening this until the new version is released.

@tnorling tnorling reopened this Nov 3, 2022
@ghost ghost added the Needs: Author Feedback Awaiting response from issue author label Nov 3, 2022
@tnorling tnorling assigned sameerag and unassigned tnorling Nov 3, 2022
@sameerag
Member

sameerag commented Nov 3, 2022

Since this is a one-off release on an old branch, we hit some snags in the process. I am on it to resolve this and will update here as soon as I can. Thanks for reopening @tnorling!

@bejuzb0

bejuzb0 commented Nov 7, 2022

Thank you! Looking forward to an update.

@ghost

ghost commented Nov 12, 2022

@carpusherw This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

@ghost ghost added the no-issue-activity Issue author has not responded in 5 days label Nov 12, 2022
@carpusherw
Author

I believe the label is added unintentionally and we are still waiting for the update.

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author no-issue-activity Issue author has not responded in 5 days labels Nov 14, 2022
@tnorling tnorling added dependencies Pull requests that update a dependency file and removed question Customer is asking for a clarification, use case or information. answered Question has received "first qualified response" Needs: Attention 👋 Awaiting response from the MSAL.js team bug-unconfirmed A reported bug that needs to be investigated and confirmed labels Nov 14, 2022
@sameerag
Member

sameerag commented Dec 8, 2022

Released 0.2.4 with this change.

@sameerag sameerag closed this as completed Dec 8, 2022
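
To check whether a project still installs the affected adal-node, directly or through another package, the script below walks a package-lock.json and flags every adal-node copy older than 0.2.4, the release reported above as carrying the fix, together with the @xmldom/xmldom copy it resolves to. It is an added example, not code from this thread or from the MSAL.js project; the lockfile contents, the `legacy-auth` package name and the xmldom version strings are constructed for illustration.

```javascript
// Added example: flag adal-node copies below 0.2.4 in a package-lock.json
// (lockfileVersion 2/3 "packages" map) and show which @xmldom/xmldom each resolves to.
const FIXED = [0, 2, 4]; // per the thread: 0.2.4 was released with the dependency fix

function isBelow(version, floor) {
  // Compare major.minor.patch only; pre-release suffixes are ignored here.
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) !== floor[i]) return (parts[i] || 0) < floor[i];
  }
  return false;
}

// Mimic Node's lookup: the package's own node_modules first, then each parent's.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return packages[candidate].version;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

function auditLock(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isAdal = path === 'node_modules/adal-node' || path.endsWith('/node_modules/adal-node');
    if (!isAdal) continue;
    findings.push({ path, version: meta.version,
      needsUpgrade: isBelow(meta.version, FIXED),
      xmldom: resolveDep(packages, path, '@xmldom/xmldom') });
  }
  return findings;
}

// Constructed lockfile: "legacy-auth" is a hypothetical package pinning the old adal-node.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/adal-node': { version: '0.2.4' },
  'node_modules/@xmldom/xmldom': { version: '0.0.2-constructed' },
  'node_modules/legacy-auth/node_modules/adal-node': { version: '0.2.3' },
  'node_modules/legacy-auth/node_modules/@xmldom/xmldom': { version: '0.0.1-constructed' },
} };

for (const f of auditLock(sampleLock)) console.log(JSON.stringify(f));
```

On a real project, pass the parsed contents of package-lock.json to `auditLock` instead of `sampleLock`.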